The 12th edition of the House Oversight and Reform Committee’s FITARA Scorecard issued on July 28 offered a mildly positive story of progress that the largest Federal government agencies are making against a range of IT-related goals. But that’s not where the real news came from in the committee’s semiannual exercise of keeping agencies honest on the tech front.
The biggest development for Federal IT came not from the agency scores themselves, but from a further showing of the growing interest among members of Congress to get a more visible and vigorous handle on the biggest issue in Federal IT – cybersecurity.
That increasing level of demand from lawmakers – coupled with White House cybersecurity policy that is trending toward a much more in-depth and measurable view of how well the government defends its networks – means the chances are going up that cybersecurity not only takes a bigger role in future FITARA gradings, but that Federal agencies will be under a sharper political and regulatory microscope to engineer better defenses.
One legislative avenue to get there that is quickly gaining steam in Congress and with cyber experts in the Biden administration is to rewrite the Federal Information Security Management Act (FISMA), a 2014 law that governs how, and how often, Federal agencies report on their cybersecurity posture. While the administration rushes on numerous fronts to implement President Biden’s cybersecurity executive order issued in May, the current FISMA requirements are looking increasingly outdated in the face of today’s ever more sophisticated and costly cyberattacks.
Here’s a look at the current scope of the scorecard, as well as the developing factors in Congress and the executive branch that will be driving change on Federal agency security – and its visibility to FITARA scorekeepers – going forward.
On a top-line basis, the latest FITARA Scorecard showed four of the 24 ranked agencies – the departments of State and Interior, and the Social Security Administration and General Services Administration (GSA) – getting better grades.
Two agencies – the departments of Justice and Veterans Affairs – got lower grades, and the remaining 18 agencies hung steady with their marks from December 2020 when the previous scorecard was issued.
No agency got a failing grade, although Justice came close with a “D-” mark, and only GSA aced the scorecard with an “A+” grade.
One of the scorecard’s eight grading categories is for cybersecurity, and that became one of the hotter-button issues for members of Congress at the House Government Operations Subcommittee’s hearing on July 28 to evaluate the latest FITARA Scorecard rankings. Leaders of the subcommittee, with help from the Government Accountability Office (GAO), are the prime movers behind assigning the grades.
For many agencies, grading in the cybersecurity category was less kind than their overall scores: two agencies – GSA and NASA – got “A” grades; five got “B” marks; eight managed a “C” grade; seven earned “D” marks; and the Commerce Department got a failing grade.
The cybersecurity grades are derived from reports generated by the agencies themselves, and agency inspectors general (IG), under the FISMA law. The 2014 law requires agencies to report the status of their information security programs to the Office of Management and Budget (OMB), and instructs agency IGs to conduct annual audits of the program. OMB issues periodic guidance to agencies on how to conduct their reporting, but is bound by the scope of the law.
The often-voiced knock on FISMA is that it was enacted seven years ago, before the current generation of non-stop cyber attacks came into play, and that its reporting requirements are viewed as a compliance exercise rather than as a spur to dramatic action to improve security. In other words, FISMA and its security requirements for agencies need to catch up with the current threat level and the technologies available to put into the fight.
More Agency Cyber Transparency
Given the white-hot focus in Congress this year on major cyber breaches – SolarWinds, Microsoft Exchange, Colonial Pipeline, and more – the Government Operations Subcommittee hearing on July 28 quickly turned to cybersecurity, and ways to evolve the FITARA Scorecard to place more emphasis on security.
In particular, subcommittee Ranking Member Jody Hice, R-Ga., said it was time to “take a fresh look at the entire process” and try to come up with different metrics that would reflect the success of legislative and executive branch policies, and make them quantifiable from agency to agency. Rep. Hice also suggested that consideration be given to additional scorecard mechanisms to shed more light on the cybersecurity status of individual Federal agencies.
“That is easier said than done,” Rep. Hice cautioned, but added, “I’d like to take a look at these before we move on to FITARA [Scorecards] 13 and 14.”
Subcommittee Chairman Gerry Connolly, D-Va., pledged “of course” to work with Rep. Hice on possible scorecard changes going forward. “I definitely see the FITARA Scorecard as a work in progress,” he said. His only note of caution on the prospect of category changes was to continue oversight of the current grading categories.
FISMA Reform Heating Up
At the same time that the FITARA Scorecard graders are talking about how to shed more light on Federal agency cybersecurity performance, one possible way to get there – a rewrite of the FISMA law – is finding more friends in both houses of Congress and in the Biden administration.
On the House side, Rep. Connolly – who was a prime mover behind the effort to update FISMA in 2014 from its previous 2002 version – continues to be interested in updating the current law.
But the biggest push is coming from the Senate, where leaders of the Senate Homeland Security and Governmental Affairs Committee have talked about FISMA reform for months.
Chairman Gary Peters, D-Mich., and Ranking Member Rob Portman, R-Ohio, crystallized many of their criticisms of the current statute earlier this month when they hammered several agencies for slow progress on improving cybersecurity and for failing to meet FISMA requirements.
Among other steps, the two senators endorsed a committee report arguing for an update of the 2014 FISMA law to: 1) reflect “current cybersecurity best practices” including focusing on mitigating “identified and analyzed” security risks; 2) formalize the role of the Cybersecurity and Infrastructure Security Agency (CISA) as the “operational lead for Federal cybersecurity”; and 3) require Federal agencies and contractors to notify CISA of certain cyber incidents.
The senators have yet to introduce a FISMA reform bill, but Sen. Portman promised legislation later this year to address some of the report’s recommendations. The report issued by the committee seeks, among other steps, an OMB policy that requires Federal agencies to use a risk-based budgeting model for IT investments, and creation of a “primary” Federal office responsible for cybersecurity and for coordinating a governmentwide cybersecurity strategy.
Biden Administration Support
At the same time, Federal Chief Information Security Officer Chris DeRusha has emerged as a vocal supporter of FISMA reform as he works to help implement the White House’s cybersecurity executive order.
Earlier this month, DeRusha offered an expanded take on his support for a rewrite of the law, and said one of the hoped-for outcomes of changes to the law would be in requirements to measure agency cybersecurity performance.
“That’s something that Congress is also very interested in,” said DeRusha, who added he is “very excited” to work with lawmakers on what he called an existing draft bill. Explaining his support, DeRusha noted that the current law dates to 2014, and needs some changing. “It was the last time we codified those responsibilities across Federal government, and you know what’s changed since then, so that would be a great opportunity to dig into cybersecurity a little bit deeper,” he said.
One of his specific FISMA-related goals is to “shift from untested security to tested security” for Federal agencies, a shift that involves performing penetration and red-team testing of agency networks.
“We’ll be starting to this year incrementally move the way that we measure performance and agencies towards risk-based models, to form risk-based cyber budgeting, and really just be focused on reducing the attack surface, and focusing on controls, and in more detailed ways, that are really getting the highest bang for the buck outcomes,” DeRusha said. “We’ve got to align those strategic goals with FISMA,” he said.
In addition to supporting the current legislative push, DeRusha said updated FISMA guidance to agencies should be coming from OMB in 2022.
Officials from top providers of IT equipment and services to the Federal government are also keying in on the overriding need to improve security and modernize infrastructure.
“Government agencies are in a time of transition, and objective guidance is always helpful to focus efforts,” Jim Richberg, public sector CISO at Fortinet, told MeriTalk. “The hybrid reality of everything now, from threats to work and IT in general, is not an easy challenge to solve, especially as modernization projects create more edges and clouds to secure and manage.”
“Government and the cybersecurity industry need close partnership in developing solutions that can provide efficiency and allow long term flexibility without sacrificing performance or security,” Richberg said.
Jeff Chancellor, principal systems engineer at Software AG, said his firm is providing its customers with enterprise architecture and IT portfolio management solutions that provide increased transparency to key indicators for performance and quality measurements for strategic decision-making.
As a result, he said, “Our current customers are expecting to improve scores related to the FITARA areas: transparency & risk management; portfolio management and rationalization; modernization; and cybersecurity compliance.”
The winds in Congress and the executive branch are blowing stronger than ever in favor of FISMA reform in order to bring the law – and what Federal agencies need to do to improve security – up to the needs of the current-day cyber threat environment. As always, predicting with any certainty what Congress may end up doing is a slippery slope – many more bills get introduced than get passed, and many that seem to face smooth sailing end up falling off the rails. But if current sentiment is any indicator, the chances are growing for reform of the statute, implementation of more rigorous requirements by the Biden administration for Federal agency cybersecurity, and a whole lot more visibility on that front in future FITARA Scorecard gradings.